J2EE architecture of the six best practices

J2EE | Architecture<p>_ ICMs</p> <br>
Although many articles have discussed J2EE best practices. Why, then, do I have to write another article? In this paper, what with the previous article different or other than the good? First of all, the goal of this article readers are engaged in technical jobs architect. In order to avoid the waste of everyone's intelligence, I would avoid talk about some stale best practices, for example, "the daily build (build daily)," and to test everything (test everything) "and" often integration (Integrate often ). Anyone with a good architect of the projects have a clear division of labor, well-defined team structure. They also encoded inspection, to build the code (daily or when needed) and the test unit, integration, and the system), deployment and configuration/release management have recorded in the process. Second, I will skip often touted as the Best Practices, for example, "based on the Interface Design of" and "use of the famous design model" and "using service-oriented the structure of the "and so on. Instead, I will be focused on I had learned and use a number of years of 6 (not much) in terms of in-the-full course. Finally, the purpose of this paper is to make you think about your own architecture, provide working code example or solution is beyond the scope of this article. Now let me introduce this 6-Course: 1st class: don't bypass server-side validation as a software consultant, I had an opportunity to not only the design and implementation of Web applications, and also assessment/audit many Web applications. In the complex, and JavaScript client package within an application, I often meet the user input information to perform numerous check Web pages. Even if the HTML element has the data of the effectiveness of attributes, such as MAXLENGTH. Only in successfully validated. All of the input information, to submit an HTML form. As a result, once the server-side receive notification form (the request, and appropriate to implement business logic. Here, you will find that a question? Developers have made many important hypothesis. For example, they assume that all of the Web application users as honest. Developers also assumes that all users will always use they tested the browser to access Web application. There are a lot of other assumptions. These developers forget use can get for free, through the command line is very easy to simulate browser-like behavior. In fact, the browser window type the URL, you can send any posted "form, though, by disabling these pages of the GET request, you easily to prevent this kind of "form post ". However, you can't stop people from simulation even to create their own browser to invade your system. The fundamental problem is that developers can't determine the client-side validation with server-side validation of the main differences. Both the main difference is not verified what is really happening where, for example in the client or server-side. The main difference is that verification behind the different purposes. Client-side validation is convenient. Execute it can provide users with fast feedback ?? To make the app seem to respond to, give a person a kind of running a desktop application of illusion. On the other hand, the server-side validation is to build a secure Web application required. No matter on the client side input of what it is, it can ensure that the client to the server all of the data is effective. Therefore, only the server-side validation can provide real application-level security. Many developers into the wrong feel trap: only in the client of all the data validation to ensure safety. The following is the illustrate this point of view, a common example: A typical login page one to enter the User Name text box and a password of the text box. On the server side, someone in the receiving servlet might encounter some of the Code, the code below in the form of a SQL query: "SELECT * FROM securitytable WHERE username =" "+ form. getparameter ("username") + "" AND Password = "" + form. getparameter ("password") + ";", and execute the code. If a query result set a row in the back, the user is logged in, or user login failed. The first problem is to construct a SQL way, but for now let's ignore it. If the user in the user name input "Alice? The assumption that called "Alice" of the user is already securitytable, when the user (more appropriately, is that a hacker) successfully logged in. I'm going to find out why this is the case as a left you a problem. Many of the creative client-side validation can prevent the user from the browser in a login. But for those who have been disable JavaScript client, or those who are able to use other browser program directly send command (http post and get command) users (or hacker), and what we have? Server-side validation is to prevent this vulnerability types necessary. At this time, SSL, firewalls sent won't do. 2nd class: safety is not additions such as 1st class,, I had the pleasure of studied many Web applications. I found out that all the JavaServer Page (JSP) all have a common theme, it is similar to the pseudo code layout: if the project to use such as Struts of the MVC framework, all the Action Bean will have similar to the code. Although the final code can run very well, but if you find a bug, or you have to add a new role (for example, "guest" or "admin "), this will represent a maintenance nightmare. In addition, all of the developers, you young, need to be familiar with this pattern of coding. Of course, you can use some JSP tags to organize the JSP code, you can create a clear derived Action Bean of the basic Action Bean. Even so, with safety-related code will be distributed to a place, so the maintenance nightmare still exists. Because of the Web Application Security is forced to build in the application code level by more than one the developer ), rather than the architecture level, the Web application is still possible weaknesses. It is possible that the root cause of the problem is in the project to complete to deal with security problems. Recently, as an architect, I was more than a year of time through a certain to implement projects 6 versions, and until the fourth edition, we only mentioned security ?? Even if the project will be highly sensitive personal data exposed on the Web, we have noticed that security. In order to change a release plan, we're involved with the project sponsor and the management of the fight, so in the first edition contains all security-related, and some of the "Business" function on the follow-up version of. At the end of the day, we won the victory. And because the application of security is quite high, to protect customers private data, that we're proud of it, our customers are very happy. The pity is that, in most applications, safety, it did not appear to add any of the actual business value, so until the final resolve. When this happens, people rushed development and security-related code, and didn't consider solutions long-term maintainability or robustness. Ignore the security of another sign is the lack of comprehensive server-side validation, as I 1st lesson described in, this is the security of applications on the Web is an important part. Remember: J2EE Web Application Security is not only in the Web. XML and ejb-jar.xml file using the appropriate statement, not use J2EE technology, such as Java authentication and authorization Service (Java Authentication and Authorization Service, JAAS ). But after careful thought of design, and the implementation of a support for its architecture. 3rd class: internationalization (I18N) it is no longer an armchair strategist in the world today is the fact that many non-native English of people to access your public Web the application. With the e-government practice, because it allows people to (a country) online with government agencies interaction, so this is very real. Examples of this include renewal driver's license or registration. Many of the first language is not English people are likely to access to the application. International (that is, "i18n" because "Internationalization" this word, the letter I and the letter N between a total of 18 letters) makes your application can support multiple languages. Clearly, if you are the JSP page in the hard-coded text, or your Java code to return to hard-coded error messages, so you want to spend a lot of time to develop this Web application Spanish-language version. However, in a Web application, in order to support multiple languages, text not only must be "concrete" part. Because many of the images are embedded in the words, so graphics and images should be configured. In extreme cases, the image (or color) in different cultural background, there may be completely different. Similarly, any formatting numbers and the date of the Java code must be localized. But the problem is: Your page layout may also need to change. For example, if you use HTML table to format and display the menu options, application header or footer, you may have to be for a support of language change each column, the minimum width and form other possible ways. In order to adapt to the different fonts and colors, you may have for each language use separate stylesheets. Obviously, now create a global Web application face architecture challenge rather than app challenge. An architecture of the Web Application means that your JSP page and all the business-relevant (Application application-specific) java code all unconsciously choose localization. To remember the lesson is: Don't because of Java, J2EE support internationalization and don't consider internationalization. You must be from the very first day, just remember that the design with the internationalization of the solution. 4th class: MVC said to avoid in the common error J2EE development mature enough, the presentation, most projects using MVC Architecture of some form, such as Struts. In this project, I'm common phenomenon is the MVC pattern misuse. The following are a few examples. Common misuse is in the model (for example, in the Struts Action Bean) to achieve all of the business logic. Don't forget, the presentation layer model is still the presentation layer. Using the model of the right way is to call the appropriate business layer service (or object) and the result is sent to the view layer (view layer ). With design patterns terms, the MVC presentation model should be the business layer, and the appearance of the Fa? Ade) to achieve. A better approach is to use core J2EE mode (Core J2EE Patterns) in the paper the Business Delegate mode. This self-book Excerpt from the content of the wonderful and an overview of your model as the Business Delegate to achieve the main points and benefits: business Delegate the client business abstract. It is abstract, and then hide of a Business Service implementation. Using Business Delegate, you can reduce the presentation layer Client and the system service. Between the degree of coupling. According to the implementation strategy for different Business Delegate can be in Business Services API implementation,, the protection of the client is not possible variability influence. So, Business Service API or its underlying implementation changes, can potentially reduce have to modify the presentation layer client-side code number of times. Another common mistake is in the model in place many says the type of logic. For example, if the JSP page need to specify the way format of the date or to specify a way to sort the data, some people may be the logic placed in the model, the logic, this is the wrong place. In fact, it should be in the JSP page of a group of helper class. When the business layer, and return to the data, the Action Bean should be forward it to view layer. So, without having to create model and view between the coupling, the flexibility to support multiple view layer (JSP, Velocity, XML, etc ). Also the view can be determined to show the user data in a way. Finally, I 've seen most of the MVC applications have not make full use of the controller. For example, the vast majority of the Struts application will create a basic Action class, and complete all the security-related functions. All of the other Action Bean is the base class of the derived class. This function should be is the Controller part of, because if you don't meet the conditions for the safe, while the first calls should not reach Action Bean (ie: Model ). Remember, A well-designed MVC Architecture. It's the most powerful one is the presence of a robust and scalable the controller. You should take advantage of this ability to strengthen its own advantage. 5th class: don't be jopo hold hands and feet I have seen many projects in order to use the Enterprise JavaBean and using Enterprise JavaBeans. Because EJB seems to give the project to bring superiority and arrogance, so sometimes it is the coolness of the elements (coolness factor ). At other times, it will make J2EE and EJB cause confusion. Remember, J2EE and EJB didn't agree with the word. EJB just J2EE part of J2EE is included, JSP, Servlets, Java Message Service (JMS) and the Java database connectivity (JDBC), JAAS, Java Management Extensions (JMX) and the EJB, including a series of technology, also about how common the use of these technologies solution is set up a set of guiding principles and patterns. If you don't need to use EJB, they may affect the performance of your. And the old Web server, EJB general application server of more demand. EJB provides all of the value-added services generally need to consume more memory and more CPU time. Many applications do not need to these services, so the application server application compete for resources. In some cases, unnecessarily using an ejb could make the application to crash. For example, I recently met a open source application server on the development of the application. The business logic encapsulated in a series of stateful Session Bean (EJB. Developers in order to in the application server completely disabling these beans of "passive" fee. strong. Client Requirements application deployment in a yi shang with on the application server, and the server is a client technology stack. The Application Server are not allowed to close "passive" function. In fact, the client didn't want to change with the cooperation of the application server set up any purchase. As a result, developers ran into a lot of trouble. () What is interesting is that developers themselves are not given why the Code with EJB (and still stateful session bean) the good reason. Not just developers encounter performance issues, their applications in the client can't work. In Web applications, no format plain old Java objects (POJOS) is an ejb strong competitor. POJO is lightweight, unlike EJB that bear the additional burden. In my opinion, many EJB advantages of, for example, the object into the pool, it is estimated that the too high. POJO is your friend, don't let it hold hands and feet. 6th class: the data access and cannot be managed O/R Mapping I was involved in all of the Web application the user from other places access of data, and therefore requires a data access layer. That's not to say that all of the projects need to identify and to establish such a layer, it just shows that this layer not exist implied is clear. If it is the implicit data layer, data layer is a business object (ie: Business Services) layer of the part. This is for the small Application, but usually with big projects accepted by the architecture of the guiding principles of conflict. All in all, the data access layer must meet or exceed the following four criteria: with the transparency Business Objects don't know Data Source implementation details of the case, you can use the data source. Due to the Implementation Details hidden in the data access layer internal, access is transparent. Easy to transfer the data access layer to make the app is very easy to migrate to other database. Business Objects don't understand the underlying data, so migration only when it comes to modify the data access layer. Further, if you are deploying a factory, you can for each at the bottom of the storage with specific factory implementation. If that's the case, transfer to a different storage implementation means that for the application to provide a new factory implementation. As far as possible to reduce the Business Object in Code complexity because the data access layer management all of the data access complexity, so it can simplify the Business Objects and use the data access layer of the other data to the client code. The data access layer, rather than a business object, contains many and implementation of the Code related to the (such as SQL statements ). So to the developer higher efficiency and better maintainability, improves the readability of the Code, etc. A series of advantages. All of the data access concentrated in a separate layer due to all of the data access operations are now delegate data access layer, so you can make this a separate data access layer as to be able to other parts of the application and data access to implement mutual isolation layer. The centralized can make application easy maintenance and management. Note: These standards are not clear tuned for O/R (Object-to-relational) of the mapping layer. O/R Mapping layer, in general, O/R Mapping tools to create, it provides an object on the relationship between the data structure of the see and feel look-and-feel ). In my opinion, in the project using O/R Mapping with the use of EJB is similar. In most cases, don't ask for it. For containing medium-size joint and the many-to-many relationship with a relational database, o/R Mapping will become quite complex. Due to increased O/R Mapping solutions itself is the inherent complexity of, for example, lazy loading) and the high-speed buffer, you will be for your project to bring greater complexity and risks ). In order to support my point of view, I will point out in accordance with the Sun Microsystem the popularity of an entity Bean (O/R Mapping an implementation) of the many failed attempts, since the 1.0 edition has been torturing the problem. In the SUN of the defense, some of the early is about the EJB specification developers implement. This, in turn, the Entity Bean specification to the complexity of its own. As a result, most J2EE Architects tend to think from the entity Bean out is a good idea. Most applications in dealing with their data, and only a limited number of times of the query. In this application, to access data, an effective method is to implement a data access layer, the layer executes these queries are a series of services (or object, or API ). As mentioned above, in this case, don't need O/R Mapping. When you request a query flexibility, O/R Mapping is right, but remember this: this additional flexibility is not the price. Just like I promised, in this article, I try to avoid the stale best practices. On the contrary, J2EE project, each one of the architects have made the most important decision, I focused on explain my point of view. In the end, you should remember that J2EE is not some of the specific techniques, not forced to join the solutions to some of the acronym. Instead, you should be at the appropriate time, the proper place, use the right technology, and follow the J2EE the Guiding Principles and J2EE contains more than technology itself is much more important than the practice.